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ABSTRACT 


The technological age has forced the U.S. to engage a new set of national 
security challenges. Several potential adversaries have cyberspace capabilities 
comparable to those of the U.S., and are constantly conducting surveillance, 
gathering technical information, and mapping critical nodes that could be 
exploited in future conflicts. How can the U.S. government best defend against 
future cyber attacks? Recent policy documents set out a strategy for securing all 
of cyberspace, which experts argue is impossible to implement, but also 
unnecessary. This thesis seeks to move the discussion beyond this stalemate by 
undertaking an analysis of the vulnerability of cyberspace to terrorist attacks. 
The first analysis examines the Code Red Worm and the Slammer Worm. These 
two worms were selected because they were highly destructive and spread faster 
than normal worms, making them well suited for assessing the existing security 
of computers and networks. The next analysis examines a staged cyber attack 
on critical infrastructure, entitled Attack Aurora. In the staged Aurora attack, 
researchers from the Department of Energy’s Idaho lab hacked into a replica of a 
power plant’s control system. This attack is the most recent staged attack and 
facilitates an analysis of vulnerabilities of critical infrastructures to cyberterrorism. 
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I. INTRODUCTION 


The information age has forced the U.S. to engage a new set of national 
security challenges. It now relies on the communication infrastructure to 
exchange information on strategic and tactical operations and provide services 
such as telecommunications, finance, aviation, transportation, electrical power, 
gas, and government/administration. Along with the rewards of an ubuquitous 
communication infrastructure comes new risks, including the threat of 
“cyberterrorism.” This form of terrorism could cause havoc with critical 
infrastructures. Several potential adversaries have cyberspace capabilities 
comparable to those of the U.S., and are constantly conducting surveillance, 
gathering information, and mapping critical nodes that could be exploited in 
future conflicts. As a result, the U.S. can no longer rely on its geographical 
location in preventing an attack. 

Denning describes cyberterrorism as “unlawful attacks and threats of 
attacks against computers, networks and information stored therein when done 
to intimidate or coerce a government or its people in furtherance of political or 
social objectives” and should “result in violence against persons or property, or at 
least cause enough harm to generate fear.”i Cyberterrorism involves leveraging 
cyberspace as a primary weapon to generate political or social change. It is 
important to recognize that cyber-terrorism is a tactic that can be used to achieve 
broader strategic objectives.^ 

The cyberterror threat is exacerbated by the fact that the ability to network 
has far outpaced the ability to protect networks. The internet was designed as an 


^ Dorothy Denning, “Cyberterrorism,” Global Dialogue, August 24, 2000, 1, 
http://www.cs.georgetown.edu/~denning/infosec/cyberterror-GD.doc, accessed 7 September 
2007. See aiso Paraphrased from Bruce Hoffman’s Inside Terrorism. NY: Coiumbia University 
Press, 1998. 14-15. 

2 Concepts derived from Dorothy Denning, prepublication copy of “Cyberterrorism”, Global 
Dialogue, August 24, 2000, 1. Accessed on-line at 

http://www.cs.georgetown.edu/~denning/infosec/cyberterror-GD.doc on 7 September 2007. 
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open platform, lending accessibility to those who know how to access the 
platform. Furthermore, most information systems have been engineered in the 
most economically efficient manner, and are therefore dependent upon a small 
number of applications. This makes them exceptionally vulnerable to attack.3 
Internet connected computers or servers are broken into every 20 seconds by 
hackers, identity thieves, and other mischievous people who want to cause 
havoc to networks. Terrorist could easily copy the techniques of these groups, 
giving them the power to disrupt parts of the cyberspace network.^ 

Due to advanced adversary technology, enemies now can choose 
between military and commercial information operation infrastructures. Enemies 
know that the Department of Defense (DOD) has several networks within the 
Pentagon; however, they also know that all U.S. commerce is accomplished 
utilizing commercial systems and networks. As the U.S. government spends 
resources protecting one area, the other area is vulnerable to attack.5 

Conversely, cyberterrorism conjures up images of vicious terrorists 
unleashing catastrophic attacks against computer networks, wreaking havoc, and 
paralyzing nations.^ While the cyberterrorism threat has increased, the fears of 
many Americans are exaggerated.^ Generic distrust of computer technology, 
overblown articles in the media, and a lack of understanding of government 
strategies and policies combine to generate panic. 

How can the U.S. government best defend against future cyber attacks? 
Recent policy documents set out a strategy for securing all of cyberspace, which 


2 Russell Howard and James Forest. Homeland Security and Terrorism (New York, NY: 
Mcgraw-HIII, 2006), 116. 

^ Brian Krebs. “A Cybersecurity Role for Uncle Sam?” (April 2004); Russell Howard and 
James Forest. Homeland Security and Terrorism (New York, NY: Mcgraw-HIII, 2006), 126. 

5 Ibid., 3. 

6 Gabriel Welmann. “The Sum of All Fears?” Studies in Conflicts and Terrorism 28, no.3 
(2005):5. 

^ Gabriel Welmann. Terror on the Internet (London: New York: USIP Press, 2006), 24-27; 
Gabriel Welmann. “The Sum of All Fears?” Studies in Conflicts and Terrorism 28, no.3 (2005):5. 
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experts argue is impossible to implement, but also unnecessary. 8 This thesis 
seeks to move the discussion beyond this stalemate by undertaking an analysis 
of the vulnerability of cyberspace to terrorist attacks, and then evaluating whether 
the potential costs and loses associated with such attacks are acceptable or 
indicate a need for improved cyberterrorism preparedness. 

A. LITERATURE REVIEW AND THESIS ARGUMENT 

There is a consensus in the literature on the nature of cyberterrorism 
threats. Because the internet was designed as an “open platform,” adversaries 
can easily access vital information and disrupt information processing in critical 
areas.9 Such attacks may come from individuals, non-state actors such as 
terrorist organizations, or states.''0 The largest potential threat in today’s security 
environment is from terrorist organizations and this will therefore be the focus on 
this thesis. Organizations such as Al-Qaeda may seek to use information 


^ Joint Publication (JP) 3-13: Information Operations, Feb 13, 2006, Washington DC: Office 
of the Chairman, Joint Chiefs of Staff, 2006, http://www.dtic.mii/doctrine/iei/new pubs/ips 13.pdf 
Accessed (Aprii 27, 2007); Air Force Doctrine Document (AFDD) 2-5: Information Operations, 
Jan 11,2005, Washington DC: Air Force Pubiishing, 2005, http://www.e- 
pubiishinq.af.mii/pubfiies/af/dd/afdd2-5/afdd2-5.pdf Accessed ( Aprii 27, 2007). “The Nationai 
Strategy to Secure Cyberspace” (February 2003) http://www.whitehouse.qov/pcipbi Accessed 
(December 5, 2006). 

9 Brian Lewis, “information Warfare” http://www.fas.orq/irp/eprint/syder/infowarfare.htm 
Accessed ( December 5, 2006). Russeii Howard, Homeland Security and Terrorism (New York: 
Mcgraw-Hiii Companies, 2006), Chapter 10. “Speciai Action Pian on Countermeasures to Cyber¬ 
terrorism of Criticai infrastructures” (February 2004) 

http://www.kantei.qo.ip/foreiqn/it/securitv/2001/cvber terror sum.htmi Accessed (February 7, 
2007). “Federai Bureau of investigation, Congressionai Testimony” 

http://www.fbi.qov/conqress/conqress02/nipc072402.htm Accessed (February 7, 2007).“Cyber 
Security” (February 2005) 

http://www.nitrd.qov/pitac/reports/20050301 cvbersecuritv/cvbersecurity.pdf Accessed (February 
7, 2007). 

"'0 Frank Ciiiuffo and Nichoias Paui. “Cyberstrategy 2.0,” (Spring 
2006) http://www.securitvaffair.orq/issues/2006/10/ciiiuqqo nichoias.php Accessed (December 5, 
2006). U.S. Congress, House Committee on Energy and Commerce, Subcommittee on 
Teiecommunications and the internet. Cybersecurity Protection, testimony of Mr. George S. 
Forseman, 13 Sep 2006, accessed via Lexis/Nexis on 1 Feb 07. Report to Congressional 
Requestors on Internet Infrastructure, Report number GAO-06-672, Washington, D.C., 
Government Accountabiiity Office. 
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systems as “Weapons of Mass Effect” (WMEs) to gather information that will 
harm the U.S. communication infrastructure or significant portions of itJ'' 

To confront the cyber threats to the Internet and portions of the 
communication infrastructure, the Joint Staff published Computer Network 
Operations (CNO), and the U.S. Air Force (AF) published the Network Warfare 
Operations doctrine in 2006.These doctrines state that joint and AF forces will 
perform the mission of Computer Network Defense (CND) and Network Defense 
(NetD).i3 Several other government documents focus on cyberwarfare strategy 
and policy. Other government publications discuss policies aimed at reducing 
the vulnerabilities of critical infrastructure and information systems before cyber 
attacks occur.i4 The National Strategy to Secure Cyberspace seeks to protect all 
critical infrastructures, both public and private. Noting that cyberspace is 
comprised of a myriad of interconnected computers, servers, routers, switches, 
and fiber optic cables that allow our critical infrastructures to work, the strategy 
provides direction to the federal government departments and agencies that have 
roles in cyberspace security and delineates steps that agencies, companies, and 
local governments can take to improve cyber security. In short, the strategy 


"I"IFrank Cilluffo and Nicholas Paul. “Cyberstrategy 2.0,” (Spring 
2006) http://www.securitvaffair.ora/issues/2006/10/cillugqo nicholas.php Accessed (December 5, 
2006). U.S. Congress, House Committee on Energy and Commerce, Subcommittee on 
Telecommunications and the Internet, Cybersecurity Protection, testimony of Mr. George S. 
Forseman, 13 Sep 2006, accessed via Lexis/Nexis on 1 Feb 07. Report to Congressionai 
Requestors on Internet Infrastructure, Report number GAO-06-672, Washington, D.C., 
Government Accountability Office. 

Joint Publication (JP) 3-13: Information Operations, Feb 13, 2006, Washington DC: Office 
of the Chairman, Joint Chiefs of Staff, 2006, http://www.dtic.mil/doctrine/iel/new pubs/jps 13.pdf 
Accessed (April 27, 2007). 

Air Force Doctrine Document (AFDD) 2-5: Information Operations, Jan 11,2005, 
Washington DC: Air Force Publishing, 2005, http://www.e-publishina.af.mil/pubfiles/af/dd/afdd2- 
5/afdd2-5.pdf Accessed (April 27, 2007). 

Information Operations Roadmap (DECLASSIFIED); Gregory Rattray, Strategic Warfare in 
Cyberspace, Cambridge MA: The MIT Press, 2001. Information Warfare - Defense (IW-D), 
Washington DC: Office of the Under Secretary of Defense for Acquisition and Technology, 1996; 
a compendium of articles in Alan D. Campen, Douglas H. Dearth, and R. Thomas Gooden, eds. 
Cyberwar: Security, Strategy, and Conflict in the Information Age, Fairfax, VA: Armed Forces 
Communications Electronics Association International Press, 1996. Arthur F. Galpin, Computer 
Network Defense for the United States of America, Carlisle Barracks PA. 
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highlights the role of public-private engagement and provides a framework for 
contributions at all levels to secure various parts of cyberspace. 

The above policy documents clearly establish that the U.S. government 
believes it can and should secure all of cyberspace. However, many private 
experts argue that this is neither possible nor necessary. The National Strategy 
to Secure Cyberspace contains three strategic objectives: to prevent cyber 
attacks against America’s critical infrastructures, to reduce national vulnerability 
to cyber attacks, and to minimize damage and recovery time from cyber attacks 
that could possibly occur. Critics argue that in order to secure all of cyberspace, 
it would be necessary to secure the “ephemeral space that exists only in relation 
to the medium of the internet,” which is inherently chaotic and beyond the reach 
of any organized central control.16 Thus, the U.S. government objective is simply 
unattainable. However, these experts also suggest that securing cyberspace in 
not necessary, noting that there is no recorded instance of a terrorist cyberattack 
on the Internet, networks, U.S. public facilities, transportation systems, nuclear 
power plants, power grids, or other key components of the national 
infrastructure.'!'^ 

The U.S. government has not responded to the critics on the record. 
Instead, the National Strategy seems to have slipped in importance for both the 
Bush administration and the IT industry. There has been a dramatic decrease in 
the visibility of the strategy since its signing in February 2003. This has left the 
fundamental issues surrounding cyberterrorism and cyberdefense unresolved. 
This thesis therefore seeks to address them through analysis of the available 

“The National Strategy to Secure Cyberspace” (February 2003) 
http://www.whitehouse.qov/pcipbl Accessed (December 5, 2006). “Critical Infrastructure 
Protection” (January 2003) http://www.whitehouse.aov/news/releases/2001 /10/20011016 
Accessed (December 5, 2006). 

16 Michael Simmer. “The Tensions of Securing Cyberspace: The Internet, state power and 
the National Strategy to Secure Cyberspace” (March 2004):11. “The National Strategy to Secure 
Cyberspace” (February 2003) http://www.whitehouse.gov/pcipbl Accessed (December 5, 2006). 

1^ Michael Simmer. “The Tensions of Securing Cyberspace: The Internet, state power and 
the National Strategy to Secure Cyberspace” (March 2004). “The National Strategy to Secure 
Cyberspace” (February 2003) http://www.whitehouse.qov/pcipbl Accessed (December 5, 2006). 
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evidence to determine if the current level of cybersecurity is sufficient or if 
additional investment in cyberdefense is required. 

B. METHODOLOGY 

In order to provide a grounded analysis of existing evidence, this thesis uses 
a within case analysis of non-terrorist cyber attacks on computers and web site 
servers, and a simulated terrorist attack on critical infrastructures in the United 
States. Cyber attacks on computers and servers are well known and straightforward. 
In such cases, terrorist attacks would generate economic and psychological costs to 
the individual and corporate owners and users of computers and networks, 
respectively. Cyber attacks on critical infrastructure pose a less widely recognized 
threat, and a potentially much more dangerous one. The federal government has 
identified eight important sectors of the economy that are critical to national security 
and the essential functioning of the U.S. economy: telecommunications, 
transportation, water supply, oil and gas production, banking and finance, electrical 
generation, emergency services, and essential government functions. 18 All of these 
systems have one item in common—their dependence on information systems 
that are susceptible to cyber attack.i9 


Michael O’Neil “Critical Infrastructure Protection: Threats to Privacy and Other Civil 
Liberties and Concerns with Government Mandates on Industry,” Depaul Business Law Journal 
Vol 12, p. 97, 1999/2000, http://www.cdt.ora/publications/lawreview/2000depaul.shtml Accessed 
(December 5, 2006). 

Michael O’Neil “Critical Infrastructure Protection: Threats to Privacy and Other Civil 
Liberties and Concerns with Government Mandates on Industry,” Depaul Business Law Journal 
Vol 12, p. 97, 1999/2000, http://www.cdt.ora/publications/lawreview/2000depaul.shtml Accessed 
(December 5, 2006).The vulnerability of critical infrastructures and the unique risks associated 
with networked computing have been recognized for some time. However, the issue was given 
new urgency by the report of the President's Commission on Critical Infrastructure Protection 
(PCCIP) in October 1997, which highlighted the topic of critical infrastructures and made a series 
of specific recommendations for their protection. On May 22, 1998, the President approved 
Presidential Decision Directive 63 establishing a national critical infrastructure protection policy 
and a government framework to develop and implement infrastructure protection measures. Key 
organizations created in that directive were a National Infrastructure Protection Center (NIPC), 
located within the Federal Bureau of Investigation (FBI), with operational responsibilities, and a 
Critical Infrastructure Assurance Office (CIAO), administratively located in the Department of 
Commerce, which provides planning and coordination support to a National Coordinator for 
Security, Infrastructure Protection, and Counter-terrorism, who is located in the National Security 
Council. On January 7, 2000, the Executive Branch issued its national plan for critical 
infrastructure protection. The document sets out a ten point program, focused on protection of the 
federal government's information systems. 
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The next chapter examines the Code Red Worm and the Slammer Worm. 
In laymen’s terms, a worm is a form of a virus designed to copy itself by utilizing 
e-mail or other software applications. The main goal of using this technique is to 
permeate the network or portions of the Internet with malicious code that will 
affect the performance of certain software applications or will totally bring 
applications to a halt.^o These two worms were selected because they were 
highly destructive and spread faster than normal worms, making them well suited 
for assessing the existing security of computers and networks. They were both 
attacks on computers, but the Slammer Worm also affected the network, and so 
can be used to assess the likely impact of a cyber terror attack on the network 
itself. The third chapter examines a staged cyber attack on critical infrastructure, 
entitled Attack Aurora. In the staged Aurora attack, researchers from the 
Department of Energy’s Idaho lab hacked into a replica of a power plant’s control 
system. This attack is the most recent staged attack and facilitates an analysis 
of vulnerabilities of critical infrastructures to cyberterrorism. 

An adapted version of the CARVER -i- Shock model will be utilized for the 
analysis in each case. This model was originally developed by the military and 
later revised to assess possible vulnerabilities in the food industry looking at 
factors such as cost, impact, and recoverability within systems and 
infrastructures. The model breaks a potential target into segments and 
considers, per the acronym, its criticality, accessibility, recuperability, 
vulnerability, effect of loss, and recognizability elements. These elements are 


20 “The Menace of Worms” (October 2007) 

http://www.emisissoft.com/en/kb/articles/tec050629 Accessed (September 1,2007). There are 
four types of worms: Instant messaging, Internet Relay Chat, File-sharing Network, and Internet. 
Instant messing worms infect websites to everyone on a local contact list. They have a minimal 
impact on software performance. Internet relay chat worms attack chat channels and spread 
malicious code by sending infected files or by sending links to infected websites. These type of 
worms can slow down network performance by 25%. File-sharing network worms copy 
themselves into a shared folder. This worm will place a copy of itself in a shared folder under a 
harmless name. Due to this fact, the worm would be ready for down load over any network and 
would spread malicious code throughout the entire network. These worms slow down network 
performance by 50%. Internet worms will scan all available network resources using local 
operating system services and scan the Internet for vulnerable machines. These worms slow 
down the network by 75%. 
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then analyzed to assess the shock, or psychological impact, of an attack, in 
addition to the economic impact .21 Table 1 gives a short description of each 
CARVER + Shock element. 

Figure 1 delineates the five point scales assigned to each of the elements 
of the original CARVER + Shock model. It also conveys the criteria for each of 
the assigned scales and shows how scores of 1 to 10 are assigned. The 
maximum total number of points in the original model is 70. Scores of 35 or 
higher warrant additional food system protection. This number is 50% of the total 
and is subjective, based on criteria set forth by the USDA .22 


Element 

Description 

Criticality 

Considers the public health and economic impacts of a successful 
attack. 

Accessibility 

Relates to the attacker’s physical access to the target. The target is 
accessible when the attacker has sufficient resources along with the 
physical ability to reach a specific location and achieve the desired 
effect. 

Recognizability 

The ease of identifying a target and is more significant for “outside” 
attackers. 

Vulnerability 

Evaluates whether the attacker has the means and resources 
accomplish an attack with the desired effect. 

Effect 

Relates to the actual, direct and immediate impact of the attack. 

Recuperability 

Ability to recover from an attack financially. 

Shock 

Focuses on the psychological effects of an attack and incorporates 
both the short and long-term behavioral changes that may be 
precipitated by an attack. 


Table 1. CARVER Definitions^s 


21 “How to Effectively use the CARVER+Shock Method of Assessing Risk and 
Vulnerabilities” (April 2006) http://www.afdo.org/afdo/Conferences/upload/060617-0815-1 -Rigby- 
AFDO%20CARVER%20training.pdf Accessed (July 29, 2007). 

22 US FDA/CSFAN CARVER + Schock Testomonial, web live video, directed by USD 
Accessed on line at http://www.cfsan.fda.gov/~dms/vltcarv.html Accessed (November 2007). 

23 US FDA/CSFAN CARVER + Schock Testomonial, web live video, directed by USD 
Accessed on line at http://www.cfsan.fda.gov/~dms/vltcarv.html Accessed (November 2007). 
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Criticality Scale 


Criteria 

Scale 

Loss of over 10,000 lives or loss of more than $100 billion. 

9-10 

Loss of over 1000 -10,000 lives or loss of $10 billion - $100 billion. 

7-8 

Loss of 100 - 1000 lives or loss of $1 billion -$10 billion. 

5-6 

Loss of less than 100 lives or loss of less than $1 billion. 

3-4 

No Loss of live or loss of less than $100 million 

1-2 


Accessibility Scale 


Criteria 

Scale 

Easily Accessible 

9-10 

Accessible 

7-8 

Partially Accessible 

5-6 

Hardly Accessible 

3-4 

Not Accessible 

1-2 


Recuperability Scale 


Criteria 

Scale 

> 1 year 

9-10 

6 months to 1 year 

7-8 

3-6 months 

5-6 

1-3 months 

3-4 

< 1 month 

1-2 


Vulnerability Scale 


Criteria 

Scale 

Target characteristics allow for easy introduction of sufficient agents to achieve 
aim. 

9-10 

Target characteristics almost always allow for easy introduction of sufficient 
agents to achieve aim. 

7-8 

Target characteristics allow 30 to 60% probability that sufficient agents can be 
added to achieve aim 

5-6 

Target characteristics allow 10 to 30% probability that sufficient agents can be 
added to achieve aim 

3-4 

Target characteristics allow low probability (less than 10%) sufficient agents can 
be added to achieve aim 

1-2 
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Effect Scale 


Criteria 

Scale 

Greater than 50% of the system’s production impacted. 

9-10 

25 - 50% of the system’s production impacted. 

7-8 

10-25 % of the system’s production impacted. 

5-6 

1 - 10 % of the system’s production impacted. 

3-4 

Less than 1% of the system’s production impacted. 

1-2 


Recognizability Scale 


Criteria 

Scale 

The target is cieary recognizabie and requires iittie or no training for recognition. 

9-10 

The target is easiiy recognizabie and requires oniy a smaii amount of training for 
recognition. 

7-8 

The target is difficuit to recognize or might be countered with other targets or 
target components and requires some training for recognition. 

5-6 

The target is difficuit to recognize, it is easiiy confused with other targets or 
components and requires extensive training for recognition 

3-4 

Less than 1% of the system’s production impacted. 

1-2 


Shock Scale 


Criteria 

Scale 

Target has major historicai, cuiturai, reiigious, or other symboiic importance. 

Loss of over 10,000 iives. Major impact on sensitive subpopuiations, e.g. 
chiidren or eideriy. Nationai economic impact more than $100 biiiion. 

9-10 

Target has high historicai, cuiturai, reiigious, or other symboiic importance. 

Loss of between 1,000 - 10,000 iives. Significant impact on sensitive 
subpopuiations, e.g. chiidren or eideriy. Nationai economic impact between $10 
and $100 biiiion. 

7-8 

Target has high historicai, cuiturai, reiigious, or other symboiic importance. 

Loss of between 100 - 1000 iives. Moderate impact on sensitive subpopuiations, 
e.g. chiidren or eideriy. Nationai economic impact between $1 and $10 biiiion. 

5-6 

Target has iittie historicai, cuiturai, reiigious, or other symboiic importance. 

Loss of iife iess than 100. Smaii impact on sensitive subpopuiations, e.g. 
chiidren or eideriy. Nationai economic impact between $100 miiiion and $1 
biiiion. 

3-4 

Target has no historicai, cuiturai, reiigious, or other symboiic importance. 

Nationai economic impact iess than $100 miiiion 

1-2 


Figure 1. CARVER + SCHOCK MODEL24 


24 US FDA/CSFAN CARVER + Schock Testomonial, web live video, directed by USD 
Accessed on line at http://www.cfsan.fda.gov/~dms/vltcarv.html Accessed (November 2007). 
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I have revamped the CARVER + Shock model to make it relevant to an 
accurate analysis of cyberattacks. The elements of Accessibility and 
Recognizability were removed as these add little or no value in analyzing 
cyberattacks. In addition, it was necessary to change the criteria and scaling for 
the Criticality and Vulnerability portions of the model. Under Criticality, the 
original model looked at loss of lives and economic damage for the criteria and 
scaled them using data pertinent to the food industry. I have utilized the same 
equation as the original CARVER + Shock model (looked at nine years of data 
and then took the average for my median scale number) but replaced criteria 
data with cyber data from congressional economic reports.25 Secondly, I have 
replaced the Vulnerability segment from the introduction of harmful food supply 
agents with security data taken from prevention and recovery documentation.26 
This information is critical to cyberattacks because the amount of security that a 
system has available and in place, impacts all of the other elements in the new 
model. Finally, the Effect element scale is based on an annual basis. To ensure 
numbers are not inflated, percentages have been recalculated accordingly. For 
example, if total restoration time for an attack is recorded as 60 days, and reports 
estimate and approximate percent of productivity loss, 1/6 would be multiplied by 
the actual percent given to ensure numbers reflect an annual loss.27 


25 CRS Report For Congress, The Economic Impact of Cyber-Attacks, 1 Apr 2004, accessed 
via Lexis/Nexis on 1 Feb 07. Information Security, testimony of Mr Keith A. Rhodes, Report 
number GAO-01-1073T, Washington, D.C., Government Accountabiiity Office, 5-7. The 
information replaces original information under the Criticality segment of the Carver -i- Shock 
model. Just like in the original CARVER segment, an average was taken to accurately scale 
numbers from 1-10. 

26 “Detect, Deploy, and Defend Against Outside Threats,” Novell, 2006 http://www.novell.com 
Accessed (July 27, 2007). Criteria from original CARVER Model: Target characteristics allow for 
easy introduction of sufficient agents to achieve aim. Target characteristics almost always allow 
for easy introduction of sufficient agents to achieve aim. Target characteristics allow 30 to 60% 
probability that sufficient agents can be added to achieve aim. All three of these are changed in 
the new model, respectively, to: No software security installed with no security procedures in 
place. Minimal software security installed with minimum security procedures in place. Medium 
software security installed with adequate security procedures in place. 

27 By changing the production loss to an annual figure gives a more realistic number for the 
model. For instance, if organizations lose 25% of their productivity for 60 days due to Internet 
performance, they are not losing the production for the whole year. This adjustment ensures the 
model captures the most accurate data to assess attacks. 
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The total cumulative points for the new CREVS (Criticality, Recovery, 
Effect, Vulnerability, Shock) model are 50. As in the CARVER model, 50% of the 
cumulative was taken to indicate a need for additional cyber security measures. 
Therefore, a score of 25 or higher would warrant an additional investment in 
cyber security. Just like the CARVER model, this number is subjective but is 
reasonable because the number is based on an increase in cyber vulnerabilities 
that would in turn cost more in system recovery. For example, at the 5-6 scoring 
level in the CREV model, systems affected by an attack incur more cost in time 
and recovery. These factors decrease system production and would therefore 
warrant additional cyber security for the attacked systems. 

The new CREVS model (Figure 2) lends major advantages for analyzing 
cyberattacks. Not only are essential cyber elements presented, but this model 
allows them to be weighed with more accurate, documented cyberattack data. 
However, like all models, the CREVS model does have its shortcomings. Like 
the CARVER model, the CREVS model is simplistic and does not allow 
organizations to assign either an unknown likelihood or an unknown severity to a 
particular factor. For example, looking at the Shock element in the new model, 
the severity to subpopulations is unknown, so the impact is assumed. 
Nonetheless, the CARVER -i- Shock model is widely accepted in Federal 
agencies, such as the Food Safety and Inspection Service (FSIS) and the Food 
and Drug Administration (FDA). These agencies praise this method and 
recommend other agencies utilize the model to evaluate potential vulnerabilities 
within their respective computer systems or infrastructures.28 Therefore, the 
adapted CREVS model represents the best framework available for analyzing 
cyber security. 

28 “Detect, Deploy, and Defend Against Outside Threats,” Novell, 2006 http://www.novell.com 
Accessed (July 27, 2007). Criteria from original CARVER Model: Target characteristics allow for 
easy introduction of sufficient agents to achieve aim. Target characteristics almost always allow 
for easy introduction of sufficient agents to achieve aim. Target characteristics allow 30 to 60% 
probability that sufficient agents can be added to achieve aim. All three of these are changed in 
the new model, respectively, to: No software security installed with no security procedures in 
place. Minimal software security installed with minimum security procedures in place. Medium 
software security installed with adequate security procedures in place. 
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Criticality Scale 

Definition: An attack is critical when the attack had significant recovery costs. 


CRITERIA 

SCALE 

Recovery costs > $64 Billion 

9-10 

Recovery costs > $8 Billion -$64Billion 

7-8 

Recover costs = $1 Billion - $8 Billion 

5-6 

Recovery costs = < $1 Billion 

3-4 

Recovery cost = < $ 100 Million 

1-2 


Recuperability Scale 

Definition: Time it took to recover from the attack 


CRITERIA 

SCALE 

> 1 year 

9-10 

6 months to one year 

7-8 

>3-6 months 

5-6 

1 -3 months 

3-4 

< 1 month 

1-2 


Effect Scale 

Definition: System productivity damaged by the attack 


CRITERIA 

SCALE 

> 50 of system’s production was impacted 

9-10 

>25%-50 % of system’s production was impacted 

7-8 

>10%-25% of system’s production was impacted 

5-6 

1%-10% of system’s production was impacted 

3-4 

< 1% of system production was impacted 

1-2 


Vulnerability Scale 

Definition: Level of software security installed on system/systems attacked. 
Factors that Influence Security: 

• Level of software security installed 

• Level of enforcement of security procedures (i.e. security and password 
protection) 


CRITERIA 

SCALE 

No software security installed with no security procedures in place 

9-10 

Minimal software security installed with minimum security procedures in place 

7-8 

Medium software security installed with adequate security procedures in place 

5-6 

Medium software security installed with high level security procedures in place 

3-4 

Maximum software security installed with high level security procedures in 
place 

1-2 
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Shock Scale 

Definition: Combined measure of psychological and economic impacts of a 
successful attack on system/systems 
Factors that Influence Shock: 

• Loss of life 

• Number of casualties 

• Critical Infrastructure damage 


CRITERIA 

SCALE 

Loss of over 10,000 lives. Major psychological impact on sensitive 
subpopulations, e.g., children or elderly. National economic impact > $100 
billion. 

9-10 

Loss of life between 1,000 and 10,000. Significant psychological impact on 
sensitive subpopulations e.g., children or elderly. National economic impact 
between $10 and $100 Billion 

7-8 

Loss of life between 100 and 1000. Moderate psychological impact on 
sensitive subpopulations e.g., children or elderly. National economic impact 
between $1 and $10 billion. 

5-6 

Loss of life less than 100. Small psychological impact on sensitive 
subpopulations e.g., children or elderly. National economic impact between 
$100 million and $1 billion. 

3-4 

No loss of life. National economic impact >$100 million. 

1-2 


Figure 2. CREVS MODEL 
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II. VULNERABILITY OF COMPUTERS AND NETWORKS TO 

CYBERTERRORISM 

A. CODE RED AND SLAMMER WORM INTRODUCTION 

The Code Red Worm was an Internet-based worm that was first reported 
at a university in Guangdong, China on July 17, 2001. This worm attacked 
numerous Web servers causing certain web pages to become inoperable. In 
addition, this propagating worm installed “backdoors” on the infected Web 
servers, making them vulnerable to hijacking by other cyber attackers who know 
how to exploit this type of vulnerability. The worm was particularly problematic 
because it spread much faster than other worms. Due to the speed and 
permeation of the worm, it was able to affect an estimated 250,000 systems in 
nine hours.29 The reason why the worm spread so rapidly was due to its design. 
The Code Red worm’s design was such that it could scan the Internet, identify 
vulnerable systems, and then infect those systems by installing itself. As each 
newly installed worm joined other previous installed Code Red worms, the rate of 
scanning increased rapidly, infecting other vulnerable systems. This was the 
most harmful aspect of the Code Red Worm. Not only did the worm have the 
ability to broadcast to the Internet information about other servers that were 
vulnerable to the malicious code it carried, it also left certain Web servers wide 
open to other attacks not related to the Code Red Worm.30 

The Slammer Worm was the fastest computer Internet worm in history. It 
hit on 25 January 2003 and infected more than 90 percent of host computers 
within 10 minutes. The Slammer Worm “spread nearly two orders of magnitude 


29 Information Security, testimony of Mr Keith A. Rhodes, Report number GAO-01-1073T, 
Washington, D.C., Government Accountability Office, 4-7. 

20.“Code Red Worm Propagation Modeling and Analysis” (November 2002) http://www- 
unix.ecs.umass.edu/~aona/papers/codered.pdf Accessed (September 1,2007). 

15 





faster than Code Red.”3'' As the worm spread throughout the Internet, “it 
doubled in size every 8.5 seconds.”32 The most harmful aspect of the Slammer 
Worm was the worm’s capability to overload networks. Many sites lost 
connectivity due saturated bandwidth and there were several reports of Internet 
backbone disruption. This caused network outages, airline flight system failures, 
interference with the 2003 elections, and ATM failures. The worm also left some 
Web servers vulnerable to other possible attacks by different computer viruses 
and other diverse worms.33 

B. IMPACT OF THE WORM ATTACKS 


Table 2 illustrates the approximate speed of worm permeation, infected 
systems, infected servers, conveys recovery cost information, and shows the 
significant decrease of performance in the Internet for both worms. 


Case 

Speed of 

Worm 

Permeation 

Infected 

Systems 

Infected 

Servers 

Recovery 

Costs 

Decrease in 

Internet 

Performance 

Code Red 

9 Hours 

250,000 

975, 000 

$2.4 Billion 

25% 

Slammer 

10 Minutes 

70,000 

N/A 

$1 Biiiion 

35% 


Table 2. Worm Analysis34 


Together the worm attacks infected more than 300,000 systems and 
975,000 servers in less than 10 hours.35 |n addition, the attacks disrupted both 


31 David Moore, “The Spread of the Sapphire/Slammer Worm,” CAIDA & USSD CSE, 2003, 
http://www.caida.orq/publications/papers/2003/sapphire/sapphire.html Accessed (September 1, 
2007). 

32 Ibid., 2. 

33 Paul Boutin, “Slammed!,” WIRED, July 2003, 

http://www.wired.eom/wired/archive/11.07/slammer.html Accessed (September 1.2007). “Robert 
Lemos, “Counting the cost of Slammer,” C/net News, http://www.news.eom/2100-1001- 
982955.html; “Inside the Slammer Worm,” Computer Society, July/August 2003, 
http://computer.orq/secuirtv/ Accessed (September 1,2007). 

34 Information Security, testimony of Mr Keith A. Rhodes, Report number GAO-01-1073T, 
Washington, D.C., Government Accountability Office, 7-9. 
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government and business operations, by slowing Internet services down by more 
than 25% and forcing some organizations to disconnect themselves from the 
Internet. The estimated losses resulting from the worm attacks are $3.4 billion. 
These involve costs associated with cleaning infected systems and returning 
them to normal service, inspecting servers to determine the need for software 
patches, patching and testing services, and the negative impact on the 
productivity of system users and technical staff.36 

The impacts of both attacks were contained by programmers spending 
time modeling the worms and finding their flaws. They found several 
programming errors by the hackers, which allowed them to design and configure 
a patch to eliminate the worm and repair defaced web pages the worms had 
compromised. The total time of patch preparation and installation on infected 
systems is estimated at 72 hours.37 in addition to the patch, programmers were 
able to design an algorithm that when installed could make a detailed list of exact 
number of machines attacked and effected. This greatly facilitated the worm 
eradication process because programmers did not have to waste time on 
unaffected systems. Instead, they could look at additional vulnerabilities in the 
actual attacked networks and systems.38 


38 “Cisco Security Advisory: “Code Red” Worm - Customer Impact” (Juiy 2001) 
http://www.cisco.eom/warp/public/707/cisco-sa-20010720-code-red-worm.shtmi Accessed 
(September 1, 2007). Information Security, testimony of Mr Keith A. Rhodes, Report number 
GAO-01-1073T, Washington, D.C., Government Accountability Office, 9-10. 

36 Ibid., 2-5. 

37 David Moore, “The Spread of the Sapphire/Slammer Worm,” CAIDA & USSD CSE, 2003, 
http://www.caida.orq/publications/papers/2003/sapphire/sapphire.html Accessed (1 September 
2007). 

36 “Code Red Worm Propagation Modeling and Analysis” (November 2002) 
http://www.cisco.eom/warp/public/707/cisco-sa-20010720-code-red-worm.shtml Accessed 
(September 1, 2007). Cisco Security Advisory: “Code Red” Worm - Customer Impact” (July 2001) 
http://www.cisco.eom/warp/public/707/cisco-sa-20010720-code-red-worm.shtml Accessed 
(September 1,2007). 
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c. 


CREVS ANALYSIS 


An analysis was conducted looking at five main factors presented in the 
model. Where the total score is 25 or greater, additional cyber measures should 
be invested in the prevention of future cyber attacks. A score of below 25 
indicates that recovery costs are low enough that more security is not necessary. 
Tables 3-7 convey each individual score as it relates to the model in Figure 1. 

1. Criticality Factor 


This factor considers the total direct cost of recovery from the attack itself. 
In both cases, costs were mainly for labor. There were no reported costs in the 
areas of hardware or software^^ 


Case 

Case Data 

Model Criteria and Score 

Score 

Code Red 

$2.4 Billion 

Recovery costs = $1 Billion- 
$8 Billion 

5 

Slammer 

$1 Billion 

Recovery costs = $1 Billion- 
$8 Billion 

5 


Table 3. CREVS Criticality Results 


2. Recovery Factor 


This factor considers the total restoration time it took to recover from the 
cyber attack.^o 


Case 

Case Data 

Model Criteria and Scale 

Score 

Code Red 

3 Months 

1-3 months 

3 

Slammer 

3 Months 

1-3 months 

3 


Table 4. CREVS Recovery Factor Results 


39 Information Secuirty, testimony of Mr Keith A. Rhodes, Report number GAO-01-1073T, 
Washington D.C., Government Accountability Office, 4-5. 

40 Ibid.. 2-4. 
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3. 


Effect Factor 


This factor considers the percentage of productivity lost from the cyber 
attacks. Reports indicate the following loss in productivity:4i 

• Several federal agencies had to change the numeric Internet 
address that identified its Web Site to the public. 

• The DOD was forced to briefly shut down its public web sites. 

• The Treasury Department’s Financial Management service had to 
disconnect from the Internet for approximately two weeks. 

• Loss of Hotmail caused outages for users of Qwest’s high-speed 
Internet services nationwide. 

• Fedex had to delay package deliveries for up to 10 days. 

• Networks across Asia, Europe, and the United States were 
effectively down. 

• Bank of America customers could not withdraw funds from its 
13,000 ATMs. 

• Continental Airline agents had to revert to the old fashioned way of 
business, using phones, and pen and paper to record reservations 
and electronic tickets. This caused numerous flight delays and 
cancellations. 

Reports state that all of the above productivity losses for the Code Red 
and Slammer worm account for 25% loss in Internet production. Since the total 


41 All Effect Factor bullets were taken from: “Cisco Security Advisory: “Code Red” Worm - 
Customer Impact” (July 2001) http://www.clsco.eom/warp/publlc/707/clsco-sa-20010720-code- 
red-worm.shtml Accessed (September 1,2007). Information Security, testimony of Mr Keith A. 
Rhodes, Report number GAO-01-1073T, Washington, D.C., Government Accountability Office, 5. 
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restoration time in both cases was 3 months, this number has been refigured to 
meet an annual productions loss. Based on this, the total Internet production 
loss in both worm attacks were 6%42 


Case 

Case Data 

Model Criteria and Scale 

Score 

Code Red 

6% of Internet 
production was 
impacted 

1% -10% of system’s 
production was impacted 

4 

Slammer 

6% of Internet 
production was 
impacted 

1%-10% of system’s 
production was impacted 

4 


Table 5. CREVS Effect Factor Results 


4. Vulnerability Factor 

This factor measures the level of security installed on the system prior to 
the cyber attack. The level of software security installed and the level of 
enforcement are combined to formulate the actual score in this area. All systems 
affected by both worms had minimal software security installed with minimum 
security procedures in place. It was reported that on some computer systems 
the minimal level of spy ware and antivirus protection was installed, 60% of the 
employees that were operating infected systems did not properly change their 
passwords as outlined in their security procedures, and systems lacked the 
proper Intrusion Detection System (IDS) that is available for all systems.43 
These prevention methods are essential because they “harden” the system and 
prevent these types of attacks from occurring.44 if an IDS is properly used and 


42 Information Security, testimony of Mr Keith A. Rhodes, Report number GAO-01-1073T, 
Washington, D.C., Government Accountability Office, 5. By changing the production loss to an 
actual annual figure gives a more realistic number for the model. For instance, if organizations 
lose 25% of their productivity for 60 days due to Internet performance, they are not losing the 
production for the whole year. This adjustment ensures the model captures the most accurate 
data to assess attacks. 

43 Information Secuirty, testimony of Mr Keith A. Rhodes, Report number GAO-01-1073T, 
Washington D.C., Government Accountability Office, 6. “Inside the Slammer Worm,” Computer 
Soc/efy,July/August 2003, http://computer.ora/securitv/ Accessed (September 1,2007). 

44 Ibid., 3-5. 
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installed, it can catch worms with a similar design. The Slammer worm for 
instance, was a duplicate of a previously thwarted worm attack months earlier, 
but since attacked systems had no IDS installed, the worm was able to spread 
undetected.45 in addition, in both worm attacks organizations failed to ensure 
they had a proper security model in place. The security model is absolutely 
necessary in dealing with cyber security because with this process, an 
organization, without an additional investment in cyber security, can develop a 
precise and unambiguous statement of cyber security policy that would facilitate 
in the prevention of cyber attacks. This is due to the fact that the model forms 
adequate policy, and conveys what security level users are authorized to access. 
This gives added protection to cyber security as it alleviates the number of 
individuals having access to sensitive files that could possible be sold to 
adversaries to infiltrate systems and networks.46 Due to the above facts, a 
CREVS score of 7 was given in this area.47 


Case 

Case Data 

Model Criteria and Scale 

Score 

Code Red 

Minimum software security 
installed with minimum 
security procedures in place 

Minimum software 
security installed with 
minimum security 
procedures in place 

8 

Slammer 

Minimum software security 
installed with minimum 
security procedures in place 

Minimum software 
security installed with 
minimum security 
procedures in place 

8 


Table 6. CREVS Vulnerability Factor Results 


45 Paul Boutin, “Slammed!,” Wired, July 2003, 
http://www.wired.eom/wired/archive/11.07/slammer.html . Accessed (1 September 2007). 

46 “Detect, Deploy, and Defend Against Outside Threats,” Novell, 2006 http://www.novell.com 
Accessed (September 1,2007). 

47 Ibid., 6. 
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5. 


Shock Factor 


This factor focuses on loss of lives, the impact on subpopulations, and the 
National economic impact. Since no loss of lives occurred from this attack and 
there was no economic impact to the U.S. economy, the score in this area was 1. 


Case 

Case Data 

Model Criteria and Scale 

Score 

Code Red 

No loss of life 
and zero 
Worldwide 
economic impact 

No loss of life and Wordwide 
economic impact > $100 
million 

1 

Slammer 

No loss of life 
and zero 
Worldwide 
economic impact 

No loss of life and Wordwide 
economic impact > $100 
million 

1 


Table 7. CREVS Shock Factor Results 


D. CONCLUSION 

The cumulative total for both cases using the analysis model was 21. 
Since this score is below the number identified in the model as an indicator to 
spend additional funds on cyber defense, this case, as presented, suggests that 
recovery is more cost effective than additional investment security for cyber 
defense. 

How might the effects of the attacks have been different had they been 
undertaken by terrorists rather than hackers? The attack as presented, was 
performed by individuals who saw it as a “challenge” to write programmable 
malicious worms and introduce them into the governmental, critical infrastructure, 
and private information systems sectors. These individuals were not attempting 
to cause national economic loss or fear. They simply looked at proposed targets 
as a challenging game where the goal of the game was to slow down system 
performance while causing a huge annoyance for system administrators. 


22 








Terrorist organizations are after maximum economic damage and fear 
with low attack costs. Worms are very simple to create at minimal cost. 
Although the exact costs of the worms are unknown, some are so simplistic that 
they could be written within a very short amount of time. With this stated, a 
terrorist worm would produce the same economic loss as one produced by 
hackers, but could produce significantly more fear. If a terrorist organization 
used the same technology but announced across affected computer screens, “Al 
Qaeda has taken over all computer systems,” the psychological effect would be 
quite different from a hacker attack. In fact, this could push the Shock score to 
the 5-6 range, which would produce a total score higher than the 25 tipping point. 
Thus, this case assessment suggests that terrorists could be interested in this 
type of cyber attack, and the total costs of such an attack would indicate a need 
for improve security rather than simply recover. 

However, it would be rather simple to reduce the scores for future worm 
attacks significantly. In both worm attacks, costs and recovery time would have 
been substantially lower had the proper security software been installed, had 
security personnel developed more in-depth procedures for thwarting attacks, 
and/or had the proper network tools and techniques for combating attacks been 
employed. These three defense tactics are already available and in most cases, 
are free with the purchase of necessary operating systems.48 Although it is not 
apparent how the worms were introduced to computer systems or to the Internet, 
it is assumed that introduction was through web servers. In this method, the 
attacker breaks password protection on the server, gaining full access to install 
malicious code. In both cases, security guidance lacked the necessary content 
on password preparation and administration. Many passwords were not 
prepared to withstand possible intrusion: 40% of users’ passwords were the 
name of a pet, spouse, or sport.49 These passwords can be easily discovered by 


48 “Virulent Worm Calls into Doubt Ability to Protect the Net” (July 2001) 
http://www.news.com/2009-1001 -270471 .html Accessed (September 1,2007). 

49 Ibid.. 2. 
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free password breaking software that is available on the Intranet or by advanced 
computer programmers who know how to write algorithms to crack carelessly 
chosen passwords. Alternatively, the worms may have been introduced through 
individual computer systems. In this method, the attacker looks for an 
unattended system, on which the user has not logged out and/or the system are 
not properly locked, and then installs the malicious code through the unattended 
system. In both worm attacks, software security that could have preempted this 
method of introduction were set at the minimal level, and thus failed to do so. 
This allows unattended systems “free reign” for potential hackers that work within 
a company. Setting security settings to the maximum level prevents unattended 
systems from being hacked into as they are locked out and can only be unlocked 
by the authorized user of the respective system. Finally, the worms could have 
been introduced by personnel with access to government, public, or private 
computers.50 in this case, prevention would have fallen back on the same 
security software that could have limited introduction via web servers. 

Thus, another lesson of the case is that existing prevention measures can 
substantially reduce the costs of an attack, if they are actually in place. If 
attacked systems were properly maintained with the firewall security and anti¬ 
virus software that was purchased with server operating systems, there would 
have been a minimal loss of production because the worm would have been 
detected and eradicated before it reached certain portions of the Internet. To 
correct this problem, the government should take the “high road” and establish 
stricter standards for maintaining cyber security. Moreover, they need to share 
their new standards with the private and public sector and convince these sectors 
that cyber security is a team effort. It would not be probable for the government 
to mandate stricter security standards, but it can certainly offer these sectors 
incentives to do so or educate them on what they would be saving on recovery 

50 “A Computing Can Of Worms” (July 2004) 

http://www.cbc.ca/news/backqround/internet/worms.html Accessed (September 1,2007). “The 
Menace of Worms” (October 2007) http://www.emisissoft.com/en/kb/articles/tec050629 Accessed 
(September 1,2007). 
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and productions costs if they were to adopt the stricter standards and use the 
prevention tools available. This team effort would have reduced the scores in the 
Code Red and Slammer worm incidents to the 1-2 level in all elements, reducing 
the overall score from 23 to between 5 and 10. (The exact score would depend 
not strictly predicable because even with the strictest standards, error can occur.) 

The analysis also showed that in general, available network tools and 
techniques are not properly utilized. Security personnel fail to use the available 
hardware that scans systems for worm vulnerabilities. 51 Network administrators 
fail to use the available password cracking software tools to assess the password 
strength of assigned users, utilize effective network monitoring tools available 
that would identify suspicious network activity, or develop the suggested 
distribution lists of the most common types of vulnerabilities and their respective 
corrective actions. If these available tools and techniques were utilized fully, 
malicious worms like the Code Red and Slammer would cause much less 
damage, or no damage at all, and the threat of cyberterror attacks against 
computers and networks would be negligible. 


A Computing Can Of Worms” (July 2004) 

http://www.cbc.ca/news/backqround/internet/worms.html Accessed (September 1,2007). “The 
Menace of Worms” (October 2007) http://www.emisissoft.com/en/kb/articles/tec050629 Accessed 
(September 1,2007). 
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III. VULNERABILITY OF CRITICAL INFRASTRUCTURES TO 

CYBERTERRORISM 


A. INTRODUCTION 

This chapter will assess the vulnerability of critical infrastructures to 
cyberterrorism, evaluate the impact this type of attack would likely have on the 
national economy, and consider whether existing prevention measures are 
adequate or increased investment in network security is required. The case 
examined here is simulated, since there have been no cyber attacks on critical 
infrastructures to date. The assessment first looks at the simulated Attack 
Aurora, using CREVS to assess the likely impact of an actual replication of the 
simulated attack. .Because those involved with the simulation concluded that it 
demonstrated the plausibility of a large scale attack using the same strategy, this 
chapter will also utilize CREVS to assess the likely impact of a larger scale 
version of the simulated attack. Although the data generated by the simulation, 
and especially the large scale attack modeled on the simulation, are less certain 
than in the previous case, the fact that this was a simulated terrorist attack allows 
us to have more confidence that the contours of the case capture those of an 
actual terrorist, as opposed to a mischievous, attack. 

B. STAGED CYBERATTACK AURORA BACKGROUND 

“The electrical power system in U.S. has more than 16,770 individual 
power-generating units installed in 2,880 plants, with a combined capacity 
exceeding 1,000 million kilowatts. ”^2 ip September 2007, researchers from the 
Department of Energy’s Idaho lab conducted a staged cyber attack, hacking into 
a replica of a single power plant’s control system. Once access was achieved, 
attackers were able to change the operating cycle of one of the power-generating 

Jay Apt, M. Granger Morgan, and Lester B. Lave, “Electricity: Protecting Eseential 
Services,” in Seeds of Disaster, Roots of Repsonse (New York, NY:Cambridge University Press, 
2006), 164. 
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units, sending it out of control. Sources familiar with the experiment concluded 
that the Aurora attack scenario illustrated that “very large critical pieces of 
equipment can be controlled with this type of attack” and that once adversaries 
gain control of critical components, they can make the components do whatever 
they want.54 

1. Altering Attack Parameters 

Since the security hardware in the electrical power systems’ infrastructure 
is the same in every electrical plant, the biggest concern arising from the 
simulated attack was that individuals, groups, or cyber-terrorists using the same 
attack strategy could easily coordinate larger attacks that would cause 
widespread damage to the electric infrastructure.^5 Therefore, this chapter 
considers both an attack on a single plant and an attack, using the same 
technical expertise and strategy, on (an arbitrary) one third of the 16,770 power 
generating units simultaneously.56 

C. CREVS ANALYSIS 

The following results reports results for an Aurora-style attack on one and 
then 5534 power-generation units (one third of the 16,770 units in the U.S). 
Estimates are based on simulation parameters as discussed in the case study.57 
As in the previous chapter, where the total score is 25 or greater, additional cyber 
measures should be invested in the prevention of future cyber attacks. A score 


Jeanne Meserve, “Sources: Staged cyber attack reveals vulnerability in power grid,” CNN, 
September 26, 2007, http://www.cnn.eom/2007/US/09/26/power.at.risk/index.html. 

Ibid. 

55 Ibid. 

56 Staged cyber attack reveals vulnerability in power grid, web live video, directed by CNN 
Accessed on line at http://www.cnn.eom/2007/US/09/26/power.at.risk/index.html (September 
2007). 

57 Ibid. 
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below 25 indicates that recovery costs are low enough that more security is not 
necessary. Tables 8-12 convey each individual score as it relates to the model 
in Figure 2. 

1. Criticality Factor 

This factor considers the total amount of funds needed to recover from the 
attack itself. Table 8 lists the scores for both attacks. In the original simulated 
attack, the total recovery costs were minimal. Assumed recovery costs of an 
attack based on the simulated parameters of one power-generated unit would 
equal $100 million. 58 Costs are caused mainly by labor expenditures and 
machinery replacement.59 Assumed recovery costs for 5534 power-generation 
units is estimated at $5.5 billion. Due to the fact that so many power-generation 
units are affected, costs would include not only labor expenditures and 
machinery replacement, but lost income to workers and investors, and losses 
due to food and commodity spoilage. 50 


Case 

Case Data 

Model Criteria and Score 

Score 

Aurora 

$100 Million 

Recovery costs < $ Billion 

3 

Altered Aurora 

$5.5 Billion 

Recovery costs = $1 Billion- 
$8 Billion 

4 


Table 8. CREVS Criticality Results 


88 Jay Apt, M. Granger Morgan, and Lester B. Lave, “Electricity: Protecting Essential 
Services,” in Seeds of Disaster, Roots of Repsonse (New York, NY:Cambridge University Press, 

2006) , 165. 

89 Staged cyber attack reveals vulnerability in power grid, web live video, directed by CNN 
Accessed on line at http://www.cnn.eom/2007/US/09/26/power.at.risk/index.html (September 

2007) . 

80 Jay Apt, M. Granger Morgan, and Lester B. Lave, “Electricity: Protecting Eseential 
Services,” in Seeds of Disaster, Roots of Repsonse (New York, NY:Cambridge University Press, 
2006), 175. 
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2 . 


Recuperability Factor 


This factor considers the time it took to recover from the cyber attack. 
Table 9 lists the scores for both attacks. For an attack of one power-generated 
unit, recovery time would be approximately one week.61 Estimated recovery time 
for 5534 power-generation units is three months.62 


Case 

Case Data 

Model Criteria and Scale 

Score 

Aurora 

One Week 

< 1 month 

1 

Altered Aurora 

Three months 

1-3 months 

5 


Table 9. CREVS Recuperability Results 


3. Effect Factor 


This factor considers the percentage of productivity lost as a result of the 
cyber attack. Since the electric power system extends to other critical national 
infrastructures, critical productivity would be lost in the following critical areas:63 

• Information Technology 

• Telecommunications 

• Banking 

• Transportation 

• Emergency Services 

Table 10 lists the scores for both attacks. An attack of one power¬ 
generated unit would result in no production loss. 64 An emergency generator 


61 Jay Apt, M. Granger Morgan, and Lester B. Lave, “Electricity: Protecting Eseential 
Services,” in Seeds of Disaster, Roots of Repsonse (New York, NY:Cambridge University Press, 

2006) , 175. 

62 Staged cyber attack reveals vulnerability in power grid, web live video, directed by CNN 
Accessed on line at http://www.cnn.eom/2007/US/09/26/power.at.risk/index.html (September 

2007) . 

63 13 . Michael Kormos and Thomas Bowe. “Coordinated and Uncoordinated Crisis 
Responses By The Electrical Industry,” in Seeds of Disaster, Roots of Repsonse (New York, 
NY:Cambridge University Press, 2006), 162. 

64 Ibid. 
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would initiate and could run for 24 hours. Since only one-power generated unit is 
affected, services would not be affected, so additional fuel would be available to 
keep the generator operating until replacement of the power-generated unit (1 
week). Production loss with an attack on 5534 power-generation units is 
estimated at 37%. Since the total restoration time is 3 months, this number has 
been refigured to meet an annual production loss. Based on this, total loss in 
production of electrical power would be 9%.65 Taking out so many units 
simultaneously increases recovery time, which affects production. Also, other 
critical infrastructures would be affected (these losses are included in the shock 
factor below) making fuel harder to acquire for backup generators.66 


Case 

Case Data 

Model Criteria and Scale 

Score 

Aurora 

0 

< 1% of systems production 
in electrical power sector 

0 

Altered Aurora 

9% 

1%-10% production in 
electrical power sector 

4 


Table 10. CREVS Effect Results 


4. Vulnerability Factor 

This factor focuses on the level of security installed on the system prior to 
the cyber attack. Table 11 lists the scores for both attacks. The level of software 
security installed and the level of enforcement are combined to formulate the 
actual score in this area. All systems affected by the simulated Aurora attack 
had medium software security installed with adequate security procedures in 
place. However, commercially available security hardware focuses on 

66 Staged cyber attack reveals vulnerability in power grid, web live video, directed by CNN 
Accessed on line at http://www.cnn.eom/2007/US/09/26/power.at.risk/index.html (September 
2007). Number recalculated as discussed on pg 11 of this thesis. The report indicated that 37% 
of electrical power production would be impacted. Based on the total restoration time of three 
months, the annual percentage impact would be 9%. 

66 Ibid 
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“traditional Internet and corporate application layer protocols,” which cannot 
analyze or filter Supervisory Control and Data Acquisition (SCADA) packets at 
the level needed for increased system security.67 (“SCADA refers to a system 
that collects data from various sensors at a factory, plant or in other remote 
locations and then sends this data to a central computer which then manages 
and controls the data.”)68 Technologically advanced terrorist groups could use 
this vulnerability to access certain software applications and thereby gain 
operating system control over critical infrastructure components. This is exactly 
what happened in the simulated Aurora attack.69 Because security hardware in 
the electrical power systems’ infrastructure is the same in every electrical plant, 
changing the parameters of the attack does not change the CREVS score on this 
element. 


Case 

Case Data 

Model Criteria and Scale 

Score 

Aurora 

Medium software 
installed with 
adequate security 
procedures in place 

Medium software 
installed with adequate 
security procedures in 
place 

5 

Altered Aurora 

Medium software 
installed with 
adequate security 
procedures in place 

Medium software 
installed with adequate 
security procedures in 
place 

5 


Table 11. CREVS Vulnerability Results 


Staged cyber attack reveals vulnerability in power grid, web live video, directed by CNN 
Accessed on line at http://www.cnn.eom/2007/US/09/26/power.at.risk/index.html (September 
2007). 

“What is SCADA?” http://www.tech-faa.com/scada.shtml Accessed (September 1,2007) 

69 Jeanne Meserve, “Sources: Staged cyber attack reveals vulnerability in power grid,” CNN, 
September 26, 2007, http://www.cnn.eom/2007/US/09/26/power.at.risk/index.htm. 
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5. 


Shock Factor 


This factor focuses on loss of lives, the impact on subpopulations, and the 
national economic impact. An attack on only one power-generated unit would 
not cause any loss of life, would have no psychological impact, and would not 
impact the national economy. 

In contrast an attack on 5534 power-generating units would have a much 
greater effect. Estimated economic damage is $700 billion dollars.70 Some 
experts believe economic losses could be significantly higher than this, arguing 
that since the electrical infrastructure affects other critical infrastructures, a broad 
array of services would come to a halt. The CREVS model scores any loss over 
$100 billion as a 10, so debates about the likely overall losses do not affect my 
results. 


Case 

Case Data 

Model Criteria and Scale 

Score 

Aurora 

No pschological 
impact on sensitive 
subpopulations and 
no economic impact 

No loss of life and no 
economic impact 

0 

Altered Aurora 

Major psychological 
impact on sensitive 
subpopulations. 

$700 Billion in 
national economic 
damage 

Major psychological 
impact on sensitive 
subpopulations. 

National economic 
impact > $100 Billion 

10 


Table 12. CREVS Shock Results 


70 Staged cyber attack reveals vulnerability in power grid, web live video, directed by CNN 
Accessed on line at http://www.cnn.eom/2007/US/09/26/power.at.risk/index.html (September 
2007). 
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D. CONCLUSION 

The total CREVS score for the Aurora case with one power-generated unit 
successfully attacked is 9. Since this score is far below the number identified in 
the model as an indicator to spend additional funds on cyber defense, this 
simulated case suggests that recovery is sufficient, and no additional investment 
for cyber defense is needed. However, for Altered Aurora case with 5535 power¬ 
generated units being affected simultaneously the CREVS score to 28. Since 
this number is above the tipping point of 25, this suggests that additional 
investment for cyber defense is in fact needed in securing the electrical critical 
infrastructure against cyber attacks. 

The Altered Aurora analysis suggests that the potential damage from a 
cyber attack on the electrical critical infrastructure is sufficiently large to make it 
appealing for terrorists to invest in this type of attack.’^'’ Today’s terrorist leaders 
know that the main benefit of attacks on critical infrastructures is not the 
immediate damage they inflict, but the erosion of public confidence and impact 
on the national economy. The loss of public confidence in critical infrastructures 
could cause panic, instilling fear that could cause citizens to lose trust in systems 
that are used to manage daily transactions. For instance, an attack of the 
Altered Aurora magnitude would likely cause individuals to doubt the security of 
commercial applications that are used in personal banking and on-line sales, 
exacerbating the impact of the attack. Al Qaeda spent $500,000 on the 
September 11 attacks, while the U.S. spent $500 billion to recover.'^^ por every 
dollar Al Qaeda spent to attack, the U.S. spent $1 million to recover.'^s The 


Staged cyber attack reveals vulnerability in power grid, web live video, directed by CNN 
Accessed on line at http://www.cnn.eom/2007/US/09/26/power.at.risk/index.html (September 
2007). 

^2 3 . Stephen E. Flynn. “The Brittle Superpower” in Seeds of Disaster, Roots of Repsonse 
(New York, NY:Cambridge University Press, 2006), 4-6. 

73 Ibid., 4-7. 
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Altered Aurora attack would cost terrorists an estimated $5 million to engineer/^ 
and would produce a recovery price tag of $700 billion.75 While almost an order 
of magnitude lower than the return on 9/11, this is still a more than adequate 
return on the investment. 

Therefore, additional security is necessary. Although there has not been a 
cyber attack to date, the Aurora simulation shows that the electrical critical 
infrastructure is vulnerable, and existing security measures are insufficient to 
prevent massive economic, and probably psychological, damage.76 Although the 
nation’s electrical infrastructure is resilient, it is dependent upon other critical 
infrastructures, which are more vulnerable. Information services in particular are 
crucial in the performance of the electrical infrastructure.77 “[VJirtually all of the 
command-and-control systems used by operators to manage the electrical grid 
depend on computer systems and networks.”78 In turn, these systems depend 
upon software applications to run accurately and effectively. In the past, these 
applications were designed in a highly customized standalone manner. 
However, budget constraints have led infrastructure managers to shift from a 
reliance on propriety control systems to the use of “open” systems and industry 
standard protocols.79 in fact, many of the open source systems are 
manufactured overseas.80 This adds to the vulnerability of critical infrastructures 

74 Staged cyber attack reveals vulnerability in power grid, web live video, directed by CNN 
Accessed on line at http://www.cnn.eom/2007/US/09/26/power.at.risk/index.html (September 
2007). 

76 Jeanne Meserve, “Sources: Staged cyber attack reveals vulnerability in power grid,” CNN, 
September 26, 2007, http://www.cnn.eom/2007/US/09/26/power.at.risk/index.html. 

76 Jeanne Meserve, “Sources: Staged cyber attack reveals vulnerability in power grid,” CNN, 
September 26, 2007, http://www.cnn.eom/2007/US/09/26/power.at.risk/index.html. 

77 3 . Stephen E. Flynn. “The Brittle Superpower” in Seeds of Disaster, Roots of Repsonse 
(New York, NY:Cambridge University Press, 2006), 135. 

76 2. National Infrastructure Security Co-ordination Centre, NISCC Good Practice Guide on 
Firewall Deployment for SCADA and Process Control Networks, prepared by National 
Infrastructure Security Co-ordination Centre, http://www.cpni.gov.uk/docs/re-20050223- 
00157.pdf. 

79 Ibid. 

60 Jeanne Meserve, “Sources: Staged cyber attack reveals vulnerability in power grid,” CNN, 
September 26, 2007, http://www.cnn.eom/2007/US/09/26/power.at.risk/index.html. 
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like electricity as personnel at the overseas locations have access to control 
system schematics and the programmable source code that manages system 
capability and performance.If terrorist groups purchased valuable schematic 
and source application code, they would have full access to control power 
sources as the simulated Aurora attack did; thus, a real attack of this nature is 

possible.82 

The Altered Aurora scenario suggests the need for investments in 
improved system security specifically. Although information systems had 
adequate security software installed in the Aurora simulation, they lacked the 
security hardware (i.e., firewalls, routers, switches) necessary to thwart the 
attack.83 As in the worm cases, security processes lacked the necessary 
guidance on attack prevention and recovery.84 System security checklists in 
some instances were outdated, or simply were not prepared.85 

To significantly reduce all of the above vulnerabilities to cyber terror 
attacks, the U.S. would need to invest only several million dollars in the 
development of new security hardware and advanced security.86 in the 
hardware area, new security hardware has to be configured and installed to give 
additional intrusion detection to information systems that control critical 
infrastructures. This new security hardware would communicate over a secure 
channel that would give additional protection to operating systems that control 


81 Jeanne Meserve, “Sources: Staged cyber attack reveals vulnerability in power grid,” CNN, 
September 26, 2007, http://www.cnn.eom/2007/US/09/26/power.at.risk/index.html. 

82 Ibid. 

83 2. National Infrastructure Security Co-ordination Centre, NISCC Good Practice Guide on 
Firewaii Depioyment for SCADA and Process Controi Networks, prepared by National 
Infrastructure Security Co-ordination Centre, http://www.cpni.gov.uk/docs/re-20050223- 
00157.pdf. 

84 Ibid. 

85 Ibid. 

86 2. National Infrastructure Security Co-ordination Centre, NISCC Good Practice Guide on 
Firewall Deployment for SCADA and Process Control Networks, prepared by National 
Infrastructure Security Co-ordination Centre, http://www.cpni.gov.uk/docs/re-20050223- 
00157.pdf. 
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crucial infrastructures.in regards to advanced security procedures, security 
checklists need to be revised and in some cases created to reflect the most 
current procedures to prevent and recover from cyber attacks.88 These 
investments would offer again offer a significant second layer of defense, 
protecting critical devices from an external or internal attack. 


2. National Infrastructure Security Co-ordination Centre, NISCC Good Practice Guide on 
Firewaii Depioyment for SCADA and Process Controi Networks, prepared by National 
Infrastructure Security Co-ordination Centre, http://www.cpni.gov.uk/docs/re-20050223- 
00157.pdf. 

88 Ibid. 
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VI. CONCLUSION 


This thesis uses a case analysis approach to determine whether the 
current level of cybersecurity is sufficient or new investments in security are 
needed, in relation to computers, networks, and/or critical infrastructures. 

A. LESSONS LEARNED FROM CODE RED AND SLAMMER WORM 

The cases studied lend some credence to critics who argue that it is not 
necessary to secure all of cyberspace. In these attacks enough prevention was 
established to limit the attacks and facilitate robust recovery without securing the 
ephemeral space of the Internet. However, the score on the CREVS model was 
just below the tipping point of 25 for mischievous attacks on computers and 
networks, and it is possible that the additional shock associated with a similar 
attack by a terrorist organization would raise the score above the tipping point. 
However, the analysis also suggests that additional investments in computer 
and/or network security would still be unnecessary if organizations employed 
security tools, methods, and solutions that already are in place, and were 
vigilance in implementing existing security procedures. 

This finding indicates that organizations need to go further in implementing 
the National Strategy to Secure Cyperspace, which outlines the importance of 
reducing vulnerabilities of cyber attacks and minimizing damage and recovery 
times. Improved cyber security awareness would go a long way toward 
preventing cyber attacks. A study conducted by the Network Reliability and 
Interoperability Council affirms this conclusion, that organizations that follow 
appropriate available security measures (i.e. appropriate level of spy ware, IDS, 
and antivirus protection software installed) are unaffected by worm attacks.^s 


“NRIC Best Practices for ISP Security” (August 2004) 
http://www.cbc.ca/news/backqround/internet/worms.htmi Accessed (November 1,2007). 
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B. LESSONS LEARNED FROM ATTACK AURORA 

Unlike the worm attacks, the Altered Aurora analysis shows that when it 
comes to cyber protection, the electrical critical infrastructure is in need of 
additional investment. Although there has not been an attack to date, the 
simulation indicates that these infrastructures are vulnerable, which suggests that 
in this area criticisms of government efforts to increase cyber security need to be 
re-accessed. The Aurora simulation suggests the strategy and technical 
expertise are available for this type of cyber attack, and could easily be utilized to 
attack thousands of power facilities simultaneously, potentially leading to a 
cascade of effects across the national economy. In addition, the electrical 
generation infrastructure is dependent upon other critical infrastructures. 
Information services, for example, are crucial in the performance of the electrical 
infrastructure. These systems depend upon software applications to run 
accurately and effectively. Because of budgetary constraints, program managers 
have shifted from more customized and secure stand alone methodology to 
utilizing open systems and standard protocols. The fact that many of these open 
systems are manufactured overseas, compounds the problem, making the 
current status of current critical infrastructures susceptible to cyber attack. 

Overall the conclusions of this analysis fall between those of the 
government and its critics. The government is right that cyber security needs to 
be improved, while the critics are right that it is not necessary to secure all of 
cyberspace. The analysis here shows that it is feasible to improve cyber security 
with simple, cheap methods, tools, and procedures. This suggests that the 
government does not need a strategy that is all encompassing, but a strategy 
that encourages the private and public sectors to be vigilant about cyber security. 

Finally, assuming that terrorist make decisions based on a cost-benefit 
analysis, the Aurora study suggests that this type of attack is quite appealing for 
today’s terrorists: it is inexpensive to carry out and could have very significant 
economic and psychological effects. 
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C. CONCLUSION 

While the solution to improving cyber security appears to be both simple 
and inexpensive, implementing it will require significant public-private 
cooperation. Such cooperation might be achieved through the formation of a 
joint “Federal Cybersecurity Reserve System,” as suggested by Stephen Flynn in 
his book Beyond Fear.90 Flynn’s solution to managing the cumbersome 
Department of Flomeland Security is to organize it along the lines of the Federal 
Reserve System, making it into a “Federal Security Reserve System.” In the 
area of cybersecurity, a “Federal Cybersecurity Prevention and Protection 
System” could address the specific vulnerabilities identified in this thesis, 
ensuring that security measures are discussed in an open forum between the 
government, private, and public sectors. Such a bold effort would support 
improved communication between the government, public, and private sectors. 
This in turn would facilitate public and private investments in cyber security 
needed to secure the nation’s critical structures. 


90 


Stephen Flynn. America the Vulnerable (New York, HarperCollins Publisher, 2003, 65. 
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